CVE-2024-26153
Published: 17 January 2025
Summary
CVE-2024-26153 is a medium-severity CSRF (CWE-352) vulnerability in Etictelecom Remote Access Server Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-26153 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting all versions of ETIC Telecom Remote Access Server (RAS) prior to 4.9.19. The issue stems from the "setconf" method request lacking any CSRF token requirement, allowing forged requests to be processed.
An external attacker requires no access or privileges on the device (PR:N) and can exploit this over the network (AV:N) with low complexity (AC:L), but it demands user interaction (UI:R). By tricking an authenticated end user into submitting the forged request—such as via a malicious webpage—the attacker achieves a denial of service (A:H) on the device, with a changed scope (S:C) and no impact on confidentiality or integrity (C:N/I:N). The CVSS v3.1 base score is 7.4.
The CISA ICS Advisory ICSA-22-307-01 provides further details on this vulnerability at https://www.cisa.gov/news-events/ics-advisories/icsa-22-307-01. Updating to ETIC Telecom RAS version 4.9.19 or later addresses the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-23430
Vulnerability details
All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.9.19 are vulnerable to cross-site request forgery (CSRF). An external attacker with no access to the device can force the end user into submitting a "setconf" method request, not…
more
requiring any CSRF token, which can lead into denial of service on the device.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF in public-facing RAS web interface directly enables exploitation via T1190; delivery requires malicious link tricking authenticated user (T1204.001) to trigger DoS.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SC-23 directly protects against CSRF attacks by requiring mechanisms such as unique session tokens to validate the authenticity of state-changing requests like the vulnerable 'setconf' method.
SI-10 mandates validation of information inputs, including CSRF tokens on the 'setconf' endpoint, to reject forged requests from external attackers.
AC-3 enforces access control policies that can incorporate CSRF token checks to prevent unauthorized execution of the 'setconf' method via user interaction tricks.